Privacy and Security in the Digital Age

The Coming “Internet of Things” Will Have a Dark Side

Catherine Crump and Matthew Harwood

Catherine Crump is a staff attorney with the ACLU’s Speech, Privacy and Technology Project. Matthew Harwood is senior writer/editor and media strategist for the ACLU.

Estimates vary, but by 2020 there could be over 30 billion devices connected to the Internet. Once dumb, they will have smartened up thanks to sensors and other technologies embedded in them and, thanks to your machines, your life will quite literally have gone online.

The implications are revolutionary. Your smart refrigerator will keep an inventory of food items, noting when they go bad. Your smart thermostat will learn your habits and adjust the temperature to your liking. Smart lights will illuminate dangerous parking garages, even as they keep an “eye” out for suspicious activity.

Techno-evangelists have a nice catchphrase for this future utopia of machines and the never-ending stream of information, known as Big Data, it produces: the Internet of Things. So abstract. So inoffensive. Ultimately, so meaningless.

A future Internet of Things does have the potential to offer real benefits, but the dark side of that seemingly shiny coin is this: companies will increasingly know all there is to know about you. Most people are already aware that virtually everything a typical person does on the Internet is tracked. In the not-too-distant future, however, real space will be increasingly like cyberspace, thanks to our headlong rush toward that Internet of Things. With the rise of the networked device, what people do in their homes, in their cars, in stores, and within their communities will be monitored and analyzed in ever more intrusive ways by corporations and, by extension, the government.

And one more thing: in cyberspace it is at least theoretically possible to log off. In your own well-wired home, there will be no “opt out.”

You can almost hear the ominous narrator’s voice from an old “Twilight Zone” episode saying, “Soon the net will close around all of us. There will be no escape.”

Except it’s no longer science fiction. It’s our barely distant present.

Home Invasion

“[W]e estimate that only one percent of things that could have an IP address do have an IP address today, so we like to say that ninety-nine percent of the world is still asleep,” Padmasree Warrior, Cisco’s Chief Technology and Strategy Officer, told the Silicon Valley Summit in December. “It’s up to our imaginations to figure out what will happen when the ninety-nine percent wakes up.”

Yes, imagine it. Welcome to a world where everything you do is collected, stored, analyzed, and, more often than not, packaged and sold to strangers—including government agencies.

In January, Google announced its $3.2 billion purchase of Nest, a company that manufactures intelligent smoke detectors and thermostats. The signal couldn’t be clearer. Google believes Nest’s vision of the “conscious home” will prove profitable indeed. And there’s no denying how cool the technology is. Nest’s smoke detector, for instance, can differentiate between burnt toast and true danger. In the wee hours, it will conveniently shine its nightlight as you groggily shuffle to the toilet. It speaks rather than beeps. If there’s a problem, it can contact the fire department.

The fact that these technologies are so cool and potentially useful shouldn’t, however, blind us to their invasiveness as they operate 24/7, silently gathering data on everything we do. Will companies even tell consumers what information they’re gathering? Will consumers have the ability to determine what they’re comfortable with? Will companies sell or share data gathered from your home to third parties? And how will companies protect that data from hackers and other miscreants?

The dangers aren’t theoretical. In November, the British tech blogger Doctorbeet discovered that his new LG Smart TV was snooping on him. Every time he changed the channel, his activity was logged and transmitted unencrypted to LG. Doctorbeet checked the TV’s option screen and found that the setting “collection of watching info” was turned on by default. Being a techie, he turned it off, but it didn’t matter. The information continued to flow to the company anyway.

As more and more household devices—your television, your thermostat, your refrigerator—connect to the Internet, device manufacturers will undoubtedly follow a model of comprehensive data collection and possibly infinite storage. (And don’t count on them offering you an opt-out either.) They have seen the giants of the online world—the Googles, the Facebooks—make money off their users’ personal data and they want a cut of the spoils. Your home will know your secrets, and chances are it will have loose lips.

The result: more and more of what happens behind closed doors will be open to scrutiny by parties you would never invite into your home. After all, the Drug Enforcement Administration already subpoenas utility company records to determine if electricity consumption in specific homes is consistent with a marijuanagrowing operation. What will come next? Will eating habits collected by smart fridges be repackaged and sold to healthcare or insurance companies as predictors of obesity or other health problems—and so a reasonable basis for determining premiums? Will smart lights inform drug companies of insomniac owners?

Keep in mind that when such data flows are being scrutinized, you’ll no longer be able to pull down the shades, not when the Peeping Toms of the twenty-first century come packaged in glossy, alluring boxes. Many people will just be doing what Americans have always done—upgrading their appliances. It may not initially dawn on them that they are also installing surveillance equipment targeted at them. And companies have obvious incentives to obscure this fact as much as possible.

As the “conscious home” becomes a reality, we will all have to make a crucial and conscious decision for ourselves: Will I let this device into my home? Renters may not have that option. And eventually there may only be internet-enabled appliances.

Commercial Stalking

The minute you leave your home, the ability to avoid surveillance technologies masquerading as something else will, if anything, lessen.

Physical sensors connected to the Internet are increasingly everywhere, ready to detect a unique identifier associated with you, usually one generated by your smartphone, then log what you do and leverage the data you generate for insight into your life. For instance, Apple introduced iBeacon last year. It’s a service based on transmitters that employ Bluetooth technology to track where Apple users are in stores and restaurants. (The company conveniently turned on Bluetooth by default via a software update it delivered to Apple iPhone owners.) Apps that use iBeacon harvest a user’s data, including his or her location, and sometimes can even turn on a device’s microphone to listen in on what’s going on.

Another company, Turnstyle Solutions Inc., has placed sensors around Toronto that surreptitiously record signals emitted by WiFienabled devices and can track users’ movements. Turnstyle can tell, for instance, when a person who visited a restaurant goes to a bar or a hotel. When people log-on to WiFi networks Turnstyle has installed at area restaurants or coffee shops and check Facebook, the company can go far beyond location, collecting ”names, ages, genders, and social media profiles,” according to the Wall Street Journal.

The rationale for apps that track where you are is that business owners can use the data to tailor the customer experience to your liking. If you’re wandering around the male grooming section of a particular retailer, the store could shoot you a coupon to convince you to purchase that full body trimmer that promises a smooth shave every time. If customers enter Macy’s and zig right more often than left, the store can strategically place what’s popular or on sale in those high-traffic areas. This is basically what’s happening online now, and brick and mortar stores want in so they can compete against the Amazons of the world.

Not so surprisingly, however, such handy technology has already led to discriminatory behavior by retailers. About a year ago, an investigation by theWall Street Journal found that prices quoted by online retailers like Staples and Home Depot changed based on who the customer was. People who lived in higher-income areas generally received the best deals, which is a form of digital redlining. In the future, count on brick and mortar stores to do the same thing by identifying your phone, picking up data about you, and pricing items according to just how juicy a customer they think you may be.

To be able to do this, retailers need companies that can provide rich data about our lives. That’s where a group of pioneering companies in the new universe of customer surveillance called data aggregators come in. Already a multibillion-dollar industry, aggregators like Acxiom, Experian, and Datalogix buy customer data from wherever they can—banks, travel websites, retailers— and turn it into Big Data. Then they analyze, package, and sell it to third parties. “Our digital reach,” said Scott Howe, CEO of the largest data aggregator, Acxiom, “will soon approach nearly every Internet user in the U.S.”

Last December, the Senate Commerce Committee investigated the business practices of the nine largest data aggregators: what information they collect, how they obtain it, their invasiveness, and who they sell it to. The committee found that these companies collect information ranging from the relatively mundane to the incredibly sensitive, including names and addresses, income levels, and medical histories. They then sell it off without giving serious consideration to what the buyers might do with it.

In the process, you could find yourself categorized as part of a group of “Mid-Life Strugglers: Families” or “Meager Metro Means” or “Oldies but Goodies,” which aggregator InfoUSA described as “gullible” people who “want to believe their luck can change.” Think of it as high-tech commercial profiling of the most exploitative sort.

“Invasion of the Data Snatchers: Big Data and the Internet of Things Means the Surveillance of Everything,” Catherine Crump and Matthew Harwood, TomDispatch.com. Reprinted by permission.